If you are going to have more than eight subnets, then it does limit your options a bit.
The first step that you took with creating aliases for each of the subnets on em1 should have worked (as long as no vlan tagging is done on the switches). Why don't you try that and then try to do some ping tests.
I will try this again when I am back in the office on Tuesday. When I tried this before I could ping each of the EM1 alias addresses fine but I could not ping any IP on a different subnet from a PC. I will set it up that way again and let you know what happens.
OK, I have set up EM1 with the following IP addresses:
These are all 24-bit subnets. I can ping each one of the addresses. Now I need to be able to reach machines on subnet 12 from subnet 10. I cannot get this to work. I have a machine with an IP of 192.168.10.5 and another with an IP of 192.168.12.5. I need to be able to communicate between them. I am not sure what I need to do in the way of rules or some kind of routing etc. Is this even possible?
So I came across this thread: https://community.mcafee.com/message/150868#150868
Post #2 states that you must use this command from the CLI: $> cf agent modify name='TCP/UDP Packet Filter' intrazone_forwarding=yes
Once I did that it appears to be working. I will do some further testing to make sure. It would be nice to have this as an option in the GUI. Is there a document somewhere that lists all of the commands available in the CLI?
I was going to mention intrazone forwarding right away, but you have different zones on all your interfaces (or the screenshot shows you do) so you shouldn't need intrazone forwarding for this (since you are going from one zone to a different zone, not within the same zone).
Here is the 8.3.x CLI Guide:
This link will open a PDF.
Sorry, yes, I did have different zones when I was trying the VLAN routing. I changed it to one zone and set up one interface with multiple IP addresses. I think me not knowing the term Intrazone Forwarding didn't help me much lol. I appreciate the link to the CLI commands!
I've just read these posts. I have a question: if you set up just one interface with multiple IP addresses and one unique zone, you can't enforce any policy between networks because they are in the same zone. I read in the documentation that policy enforcement applies when traffic traverses from one zone to another.
My understanding is that in this scenario the firewall is only used like a router and not as a firewall.
on 10/07/13 14:04:22 ART
My experience with doing this is that the firewall will not automatically route between the different subnets. You must create rules that allow an address in one subnet to access an address in another subnet, even if they are on the same interface and in the same zone. This being the case, you can control what services or applications are allowed to route to the other subnets. You would just use the source and destination endpoint properties of the rules to determine which subnets can access each other. You will also have to create IP Range network objects to use in the rules. So yes, you can enforce policies when traversing across different subnets in the same zone.
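To make the two points above concrete (intrazone forwarding gates same-zone traffic, and rules built from IP range objects still decide what crosses between the aliased subnets), here is an added, simplified model of that forwarding decision. It is not McAfee Firewall Enterprise code; the aliases, zone name, Rule class and decide() function are assumptions chosen to mirror the setup described in this thread.

```python
# Added illustration: a simplified model of the decision discussed in this thread.
# NOT the product's logic; names (Rule, decide, zone_of, ALIASES) are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    src: str      # CIDR standing in for an IP Range network object
    dst: str
    service: str  # e.g. "icmp", "tcp/445", or "any"
    action: str   # "allow" or "deny"


# Constructed sample: all three /24 aliases live on em1 in one zone, as in the thread.
ALIASES = {
    "192.168.10.0/24": "internal",
    "192.168.11.0/24": "internal",
    "192.168.12.0/24": "internal",
}


def zone_of(ip):
    """Map an address to the zone of the alias subnet that contains it."""
    for net, zone in ALIASES.items():
        if ip_address(ip) in ip_network(net):
            return zone
    return None


def decide(src, dst, service, rules, intrazone_forwarding):
    """Return (verdict, reason) for traffic from src to dst."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "drop", "no alias subnet matches"
    # Same zone on both sides: nothing is forwarded unless intrazone forwarding is on.
    if sz == dz and not intrazone_forwarding:
        return "drop", "same zone, intrazone_forwarding=no"
    # Forwarding allowed in principle; the rule base still decides, first match wins.
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and r.service in (service, "any")):
            return r.action, r.name
    return "deny", "implicit deny"


RULES = [Rule("10-to-12 icmp", "192.168.10.0/24", "192.168.12.0/24", "icmp", "allow")]

if __name__ == "__main__":
    print(decide("192.168.10.5", "192.168.12.5", "icmp", RULES, False))
    print(decide("192.168.10.5", "192.168.12.5", "icmp", RULES, True))
    print(decide("192.168.10.5", "192.168.12.5", "tcp/445", RULES, True))
```

Running it shows the ping between .10.5 and .12.5 dropped with forwarding off, allowed by the one rule with it on, and other services still hitting the implicit deny.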